Google exposes G Suite issue that stored plain-text passwords on its servers for 15 years
Google has begun forcing “a subset of our enterprise G Suite customers” to change their passwords after an issue that inadvertently left passwords exposed for more than a decade.
In a post to its Google Cloud blog Tuesday, the company outlined an error made back in 2005 that stored a copy of actual user passwords rather than the usual scrambled “hashed” version, thus making it possible for an outside attack to gain access to usable passwords. Google explains that the issue has been fixed and the company has “seen no evidence of improper access to or misuse of the affected passwords.”
Google says the passwords were still stored on its “secure encrypted infrastructure,” so the likelihood of an outside attack was low.
Google blames a legacy feature set for the issue. Back in 2005, G Suite domain administrators were given the ability to set and recover passwords on the client side for their own users, so they needed access to unhashed passwords. Google has since jettisoned this functionality and requires all G Suite passwords to be reset rather than recovered, just like Gmail.
Additionally, Google unearthed a separate issue that started in January that also led to unhashed passwords being stored for up to 14 days. Like the other issue, Google has fixed the problem and hasn’t found any evidence of “improper access to or misuse of the affected password.”
As a result, Google is informing all affected clients to change impacted passwords and will reset any that aren’t manually changed. Google apologized for the issue and promised it “will do better” in the future.
While this particular issue doesn’t affect Gmail users (outside of G Suite subscribers), it drives home the need to use strong, unique passwords for every critical site and service you use. If you aren’t using a password manager yet, you should be. Our roundup of the best password managers can get you on the right track if you need help selecting one.